US12118088B2ActiveUtilityA1

Moderator system for a security analytics framework

50
Assignee: ADVANCED RISC MACH LTDPriority: Apr 22, 2020Filed: Apr 22, 2020Granted: Oct 15, 2024
Est. expiryApr 22, 2040(~13.8 yrs left)· nominal 20-yr term from priority
G06N 3/09G06F 2221/034G06F 21/85G06F 21/72G06F 9/54G06F 21/566G06N 3/045G06N 20/20G06F 21/552
50
PatentIndex Score
0
Cited by
33
References
18
Claims

Abstract

A moderator system that can receive outputs of various stages of the security analytic framework and can receive input from external sources to provide information about emerging styles of attacks. One or more models/behavioral profiles can be curated by the moderator system, and the moderator system can provide updates to components of the security analytics framework.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method to provide moderation to a security analytics framework for a chip or particular integrated circuit (IC), the method comprising:
 sending a first model to a risk predictor of the security analytics framework for the chip or particular IC, wherein the first model includes context information for a particular application of the chip or particular IC; 
 receiving operational data of the chip or particular IC; 
 performing training on one or more stored models including the first model using the received operational data to generate at least a second model; 
 sending the second model to at least the risk predictor; 
 determining whether to make an adjustment to a current security configuration of the security analytics framework for the chip or particular IC based on at least the received operational data, wherein the current security configuration comprises a first configuration of one or more elements of interest of a plurality of elements of interest on the chip or particular IC that a data scavenger of the security analytics framework captures, wherein the one or more elements of interest are selectively collected according to the first configuration, and wherein the plurality of elements of interest on the chip or particular IC includes an element of interest captured from a performance counter; 
 determining a particular security configuration for the security analytics framework for the chip or particular IC based on at least the received operational data; and 
 sending the particular security configuration to at least one component of the security analytics framework for the chip or particular IC, wherein the at least one component comprises the data scavenger, wherein the particular security configuration updates the first configuration to a second configuration of elements of interest of the plurality of elements of interest on the chip or particular IC that the data scavenger captures to provide updated operational data of the chip or particular IC, wherein the elements of interest that are selectively collected is changed in the second configuration according to an updated configuration signal from the particular security configuration. 
 
     
     
       2. The method of  claim 1 , wherein receiving the operational data of the chip or particular IC comprises:
 receiving the operational data from at least the data scavenger of the security analytics framework for the chip or particular IC. 
 
     
     
       3. The method of  claim 1 , wherein receiving the operational data of the chip or particular IC comprises:
 receiving the operational data from at least a data analyzer of the security analytics framework for the chip or particular IC. 
 
     
     
       4. The method of  claim 1 , wherein receiving the operational data of the chip or particular IC comprises:
 receiving the operational data from at least the risk predictor. 
 
     
     
       5. The method of  claim 4 , wherein the operational data from the risk predictor comprises a numeric value that indicates a threat score. 
     
     
       6. The method of  claim 1 , further comprising:
 receiving, by an application programming interface, data from a third party indicating a global model; and 
 sending the global model to at least the risk predictor. 
 
     
     
       7. The method of  claim 1 , wherein sending the particular security configuration to at least one component of the security analytics framework for the chip or particular IC further comprises sending an updated model to a data analyzer of the security analytics framework for the chip or particular IC, wherein the updated model comprises a predefined metric that the data analyzer uses to identify patterns. 
     
     
       8. The method of  claim 1 , wherein the updated configuration signal from the particular security configuration is based on the second model. 
     
     
       9. A moderator system to moderate a security analytics framework for a chip or particular integrated circuit (IC), the moderator system comprising:
 a moderator controller; 
 an interface for communicating with components of the security analytics framework, the components of the security analytics framework comprising a data scavenger, a data analyzer; and 
 
       a risk predictor; and
 a data resource storing one or more models of particular operations of the chip or particular IC; 
 wherein the moderator controller comprises one or more processors and a local storage having instructions stored thereon that when executed direct the moderator system to:
 send, via the interface, a first model to the risk predictor, wherein the first model includes context information for a particular application of the chip or particular IC; 
 receive, via the interface, operational data of the chip or particular IC; 
 perform training on the one or more stored models including the first model using the received operational data to generate at least a second model; 
 send, via the interface, the second model to at least the risk predictor; 
 determine, whether to make an adjustment to a current security configuration of the security analytics framework for the chip or particular IC based on at least the received operational data, wherein the current security configuration comprises a first configuration of one or more elements of interest of a plurality of elements of interest on the chip or particular IC that the data scavenger captures, wherein the one or more elements of interest are selectively collected according to the first configuration, and wherein the plurality of elements of interest on the chip or particular IC includes an element of interest captured from a performance counter; 
 determine a particular security configuration for the security analytics framework for the chip or particular IC based on at least the received operational data; and 
 send, via the interface, the particular security configuration to at least one component of the components of the security analytics framework, wherein the at least one component comprises the data scavenger, wherein the particular security configuration updates the first configuration to a second configuration of elements of interest of the plurality of elements of interest on the chip or particular IC that the data scavenger captures to provide updated operational data of the chip or particular IC wherein the elements of interest that are selectively collected is changed in the second configuration according to an updated configuration signal from the particular security configuration. 
 
 
     
     
       10. The moderator system of  claim 9 , further comprising:
 an encoder and decoder for encoding and decoding sensitive data transmitted and received via the interface. 
 
     
     
       11. The moderator system of  claim 9 , further comprising:
 an update model application programming interface (API), wherein the update model API receives a model from a third party to update a particular component of the security analytics framework for the chip or particular IC. 
 
     
     
       12. The moderator system of  claim 9 , further comprising:
 a data API, wherein the data API provides the received operational data to a third party. 
 
     
     
       13. The moderator system of  claim 9 , wherein the instructions to send the particular security configuration to at least one component of the components of the security analytics framework direct the moderator system to:
 send an updated model to the data analyzer, wherein the updated model comprises a predefined metric that the data analyzer uses to identify patterns. 
 
     
     
       14. The moderator system of  claim 9 , wherein the chip or particular IC is in a network component. 
     
     
       15. The moderator system of  claim 9 , wherein the chip or particular IC is a system on a chip with at least one secure domain for sensitive information or cryptographic functions. 
     
     
       16. The moderator system of  claim 9 , wherein the chip or particular IC comprises an integrated Services Identity Module (iSIM). 
     
     
       17. The moderator system of  claim 9 , wherein the chip or particular IC is in a set top box. 
     
     
       18. The moderator system of  claim 9 , wherein the updated configuration signal from the particular security configuration is based on the second model.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.